Getting Started: Splunk Setup
On Splunk, install the Splunk Add-on for AWS, which adds the ability to send alerts to SNS.
Configure the app with some AWS credentials. The IAM user or role must have SNS Publish/Get/List permissions on the SNS topic `squyre-Alert`.

Update one of your Splunk saved searches, adding a `strcat` at the end to combine all the fields you think are of use into a new field called `interesting`:

```
<awesome detection logic> | stats values(src_ip) as src_ip by dest_user | eval Detection="A test alert" | strcat src_ip "," dest_user interesting
```
Add an **AWS SNS Alert** action to your scheduled search, updating the `Message` field of the action to `$result.interesting$`. Also fill out the Account and Region fields per the AWS Tech Add-on documentation. The topic should be set to `squyre-Alert`.
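The Publish/Get/List requirement above translates into a small least-privilege IAM policy for the credentials you give the Splunk Add-on for AWS. The policy below is an added example, not part of the Squyre project's own documentation: `REGION_PLACEHOLDER` and `ACCOUNT_ID_PLACEHOLDER` are placeholders for your own region and account id, and the topic name `squyre-Alert` is the one the setup steps use. `sns:Publish` and `sns:GetTopicAttributes` are scoped to that single topic ARN; `sns:ListTopics` does not support resource-level permissions in IAM, so it needs `"Resource": "*"`, and it is kept in its own statement so the topic-scoped actions stay narrow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublishToSquyreAlertTopicOnly",
      "Effect": "Allow",
      "Action": [
        "sns:Publish",
        "sns:GetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:REGION_PLACEHOLDER:ACCOUNT_ID_PLACEHOLDER:squyre-Alert"
    },
    {
      "Sid": "ListTopicsSoTheAddonCanPopulateTheTopicDropdown",
      "Effect": "Allow",
      "Action": "sns:ListTopics",
      "Resource": "*"
    }
  ]
}
```

Attach this policy to a dedicated IAM user or role used only by the Splunk add-on rather than reusing broader credentials; if the alert action later fails with an access-denied error, the topic ARN (region, account id or topic name) in the first statement is the first thing to check.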